WO2023236125A1 - Application live-patch control for consumer device malware detection - Google Patents

Application live-patch control for consumer device malware detection

Info

Publication number
WO2023236125A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
live
patch
security policy
specific
Prior art date
Application number
PCT/CN2022/097752
Other languages
English (en)
Inventor
Qiming Li
Gang LIAN
Tailiang Hong
Yucheng DAI
Original Assignee
Huawei Technologies Co., Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd. filed Critical Huawei Technologies Co., Ltd.
Priority to PCT/CN2022/097752
Publication of WO2023236125A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G06F8/656 Updates while running
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/54 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates
    • G06F8/658 Incremental updates; Differential updates
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Definitions

  • the present disclosure relates generally to the field of malware detection on consumer devices, and more particularly to a method for control of live-patching of an application on an electronic device, to the corresponding electronic device, to a method for control of live-patching of an application on a plurality of electronic devices, and to a corresponding analyzer engine.
  • Application live-patch refers to methods that allow applications to update their code and content after they are installed, without end-user explicitly installing updates or patches.
  • an application performing live-patch would download new executable code and/or content during its runtime and dynamically load the downloaded code or content so that part of its original code or content is replaced.
  • the downloaded executable code may be in the form of executable programs, but it is more common to be in the form of dynamically loadable shared libraries, compiled bytecode, or even source code.
  • Such methods are commonly observed in many applications for consumer devices such as mobile phones, where an application developer embeds a live-patch framework or library into the application to be published.
  • the live-patch framework or library would check with a 3rd party live-patch server from time to time to see if there is any update.
  • When the application developer decides to publish an update in the form of a live-patch, the developer would upload the patch to the live-patch server, so that the installed applications would download the patches via the live-patch framework or library and load them during runtime.
  • Exemplary methods to detect and/or mitigate the risks of malware introduced by application live-patch essentially employ a detect-and-block strategy, wherein malware code is first detected (either before or after distribution), and then the associated application is prevented from launching (by way of blacklisting, quarantining, etc.) or is uninstalled.
  • Such a strategy is unsatisfactory in a number of ways.
  • live-patch frameworks or libraries may be blocked before actual malicious code is found, and/or not be blocked accurately, since developers may avoid detection by using a less popular framework or library, developing their own application specific live-patch frameworks or libraries, or using ad-hoc methods such as directly downloading from some known web locations using standard networking libraries.
  • a method for control of live-patching of an application on an electronic device.
  • the method comprises collecting application-specific live-patch statistics related to the application; obtaining, from an analyzer engine disposed remotely from the electronic device, a device-specific security policy for the electronic device in accordance with the application-specific live-patch statistics; and applying the device-specific security policy on the electronic device.
  • This may selectively prevent high-risk application live-patch operations on a consumer device, by reporting and intercepting live-patch operations in accordance with a security policy formed by a cloud-generated policy taking into account the live-patch statistics of a plurality of electronic devices, and a user-defined policy relating to the particular electronic device at hand.
  • the method may further comprise modifying the device-specific security policy on the electronic device in accordance with user feedback.
  • the collecting may comprise monitoring, by an application manager of the electronic device, whether a file manipulated by the application is being executed; determining, by the application manager, the application-specific live-patch statistics related to the application and the file executed by the application; and submitting, by the application manager to a live-patch manager of the electronic device, the application-specific live-patch statistics.
  • the application-specific live-patch statistics may comprise at least one of: an identifier of the application, a path name of the file executed by the application, and a hash value of a content of the file.
  • a plurality of applications may be monitored device-internally with respect to live-patching, without breaching user privacy by unnecessary network communications.
  • the application manager may comprise an application management system service of the electronic device.
  • An application manager as used herein may refer to a software entity hosted on the electronic device which is responsible for monitoring file accesses made by applications, including writing and loading files that contain executable code or bytecode.
  • a live-patch manager as used herein may refer to a software entity hosted on the electronic device which is responsible for an information exchange as regards application live-patching.
  • the collecting may further comprise retrieving, by the live-patch manager, the application-specific live-patch statistics; aggregating, by the live-patch manager, the application-specific live-patch statistics over a period of time; and anonymizing, by the live-patch manager, the application-specific live-patch statistics.
  • the anonymized live-patch statistics may comprise at least one of: a hash value of the identifier of the application, a hash value of the path name of the file executed by the application, and a hash value of the content of the file.
  • the anonymization allows detecting malware, assessing the risk involved, and generating a security policy accordingly, without revealing information that is not necessary for malware detection, such as application or file characteristics, names or identifiers of applications, etc. Thereby, user privacy is improved.
  • the live-patch manager may comprise a live-patch management system service of the electronic device.
  • the analyzer functionality required for a plurality of electronic devices is advantageously centralized.
  • the obtaining of the device-specific security policy may comprise submitting, by the live-patch manager to the analyzer engine, the application-specific live-patch statistics; retrieving, by the live-patch manager, the device-specific security policy; and de-anonymizing, by the live-patch manager, the device-specific security policy.
  • the de-anonymized device-specific security policy may comprise at least one of: the identifier of the application, the path name of the file executed by the application, and the action relating to the application and/or the file.
  • the device-specific security policy and its associated action may prevent specified live-patch operations of applications. Thereby, a more fine-grained response to malware detection is facilitated.
  • the applying of the device-specific security policy may comprise causing, by the live-patch manager, a security policy engine of the electronic device to enforce the device-specific security policy; and retrieving, by the live-patch manager, policy enforcement statistics related to the application.
  • a security policy engine as used herein may refer to a system service hosted on the electronic device, which is responsible for enforcing security policies by utilizing capabilities provided by an operating system of the electronic device, and for reporting enforcement statistics.
  • the modifying of the device-specific security policy may comprise displaying, by the live-patch manager, the device-specific security policy and/or the policy enforcement statistics related to the same on a user interface; receiving, by the live-patch manager, a modification of the device-specific security policy via the user interface; and causing, by the live-patch manager, the security policy engine of the electronic device to enforce the modified device-specific security policy.
  • the device-specific security policy may automatically be generated taking into account the live-patch statistics of a plurality of electronic devices.
  • the malware detection engine may comprise a malware detection cloud service.
  • an electronic device comprising a processor being configured to perform the method of the first aspect or any of its implementations.
  • FIG. 1 illustrates a method for control of live-patching of an application on an electronic device in accordance with the present disclosure
  • FIG. 2 illustrates a method for control of live-patching of an application on a plurality of electronic devices in accordance with the present disclosure
  • a disclosure in connection with a described method may also hold true for a corresponding apparatus or system configured to perform the method and vice versa.
  • a corresponding device may include one or a plurality of units, e.g. functional units, to perform the described one or plurality of method steps (e.g. one unit performing the one or plurality of steps, or a plurality of units each performing one or more of the plurality of steps), even if such one or more units are not explicitly described or illustrated in the figures.
  • a specific apparatus is described based on one or a plurality of units, e.g.
  • FIG. 1 illustrates a method 1 for control of live-patching of an application on an electronic device 3 in accordance with the present disclosure.
  • the method 1 comprises collecting 11 application-specific live-patch statistics related to the application.
  • the collecting 11 may comprise monitoring 111, by an application manager 311 of the electronic device 3, whether a file manipulated by the application is being executed.
  • the application manager 311 may comprise an application management system service of the electronic device 3.
  • the collecting 11 may further comprise determining 112, by the application manager 311, the application-specific live-patch statistics related to the application and the file executed by the application.
  • the application-specific live-patch statistics may comprise at least one of: an identifier of the application, a path name of the file executed by the application, and a hash value of a content of the file.
  • the collecting 11 may further comprise submitting 113, by the application manager 311 to a live-patch manager 312 of the electronic device 3, the application-specific live-patch statistics.
  • the live-patch manager 312 may comprise a live-patch management system service of the electronic device 3.
  • the collecting 11 may further comprise retrieving 114, by the live-patch manager 312, the application-specific live-patch statistics.
  • the collecting 11 may further comprise aggregating 115, by the live-patch manager 312, the application-specific live-patch statistics over a period of time.
  • the collecting 11 may further comprise anonymizing 116, by the live-patch manager 312, the application-specific live-patch statistics.
  • the anonymized live-patch statistics may comprise at least one of: a hash value of the identifier of the application, a hash value of the path name of the file executed by the application, and a hash value of the content of the file.
  • the method 1 further comprises obtaining 12, from an analyzer engine 4 disposed remotely from the electronic device 3, a device-specific security policy for the electronic device 3 in accordance with the application-specific live-patch statistics.
  • the analyzer engine 4 may comprise an analyzer cloud service.
  • the obtaining 12 of the device-specific security policy may comprise submitting 121, by the live-patch manager 312 to the analyzer engine 4, the application-specific live-patch statistics.
  • the obtaining 12 of the device-specific security policy may further comprise retrieving 122, by the live-patch manager 312, the device-specific security policy.
  • the obtaining 12 of the device-specific security policy may further comprise de-anonymizing 123, by the live-patch manager 312, the device-specific security policy.
  • the de-anonymized device-specific security policy may comprise at least one of: the identifier of the application, the path name of the file executed by the application, and the action relating to the application and/or the file.
  • the method 1 further comprises applying 13 the device-specific security policy on the electronic device 3.
  • the applying 13 of the device-specific security policy may comprise causing 131, by the live-patch manager 312, a policy engine 313 of the electronic device 3 to enforce the device-specific security policy.
  • the applying 13 of the device-specific security policy may further comprise retrieving 132, by the live-patch manager 312, policy enforcement statistics related to the application.
  • the method 1 may further comprise modifying 14 the device-specific security policy on the electronic device 3 in accordance with user feedback.
  • the modifying 14 of the device-specific security policy may comprise displaying 141, by the live-patch manager 312, the device-specific security policy and/or the policy enforcement statistics related to the same on a user interface.
  • Regarding the anonymizing 116 step, it is noted that it is possible to anonymize the application statistics collected by the live-patch manager 312 in such a way that the analyzer engine 4 only receives enough information to perform its analysis.
  • the statistics collected by the live-patch manager 312 may contain information such as the name and identifiers of the applications, the paths of files written and loaded by these applications, hash values of these files, the time at which the files are accessed, and so on.
  • only the hash values of the files are sent to the analyzer engine 4, which are then used to compare with the malware database.
  • the live-patch manager 312 may generate a temporary application identifier at random for each application in the collected statistics, and associate the temporary identifier with the hash values instead of the real application name or identifier. In this way, the analyzer engine 4 would still have sufficient data to perform the analysis but the identity of the applications is hidden from the analyzer engine 4. In any case, the analyzer engine 4 knows only if malicious code with specific hash values exists on a device but learns nothing else. After the signed security policy is received from the analyzer engine 4 and its signature validated, the live-patch manager 312 may de-anonymize the policy by replacing the temporary application identifiers with the real identifiers or names.
  • an encryption function may be applied on the data that needs to be anonymized.
  • the corresponding decryption function can then be applied to de-anonymize the data.
  • a keyed hash function may be applied to anonymize the data.
  • the de-anonymization is similar to temporary random identifiers, where the original data needs to be recorded and associated with the hash value so that de-anonymization can be done via a table lookup.
  • an example policy definition is provided that would make sense in many electronic (e.g., mobile or tablet) devices 3, where each installed application is identified by an integer that is unique among all applications on the same device 3, and each application is allowed to write to an application specific data directory by default without requesting for extra permissions from the end user.
  • the live-patch operations of the applications involve downloading and writing code to a specific file under the application data directory and later loading the code from the file.
  • a security policy may contain rules, where each rule may look like below.
  • the application identified by the integer value “5000” cannot write a file at the path “/data/app/5000/plugin/libxyz.so” if it does not exist, and cannot open it for reading if it already exists. Furthermore, the policy engine 313 would report to the live-patch manager 312 when the application tries to write to the file.
  • Such security rules assume that the application “5000” always tries to write live-patch code to specific locations in the file system, which is typically the case with many known live-patch frameworks or libraries. If an application developer or live-patch framework/library developer attempts to circumvent such straight-forward security policy rules, more complex rules and enforcement mechanisms may be required. In other words, the security policy definition and enforcement should not be seen as a static process but rather an evolving one.
  • FIG. 2 illustrates a method 2 for control of live-patching of an application on a plurality of electronic devices 3 in accordance with the present disclosure.
  • An analyzer engine 4 comprising a processor 41 is provided.
  • the processor 41 may be configured to perform said method 2.
  • the method 2 comprises providing 21, by an analyzer engine 4 disposed remotely from the plurality of electronic devices 3, a device-specific security policy for the electronic device 3 in accordance with application-specific live-patch statistics related to the application on the plurality of electronic devices 3.
  • the analyzer engine 4 may comprise an analyzer cloud service.
  • the providing 21 of the device-specific security policy may comprise retrieving 211 the application-specific live-patch statistics relating to each of the plurality of electronic devices 3.
  • the providing 21 of the device-specific security policy may further comprise aggregating 212 the application-specific live-patch statistics over a period of time.
  • the providing 21 of the device-specific security policy may further comprise filtering 213 the application-specific live-patch statistics.
  • the providing 21 of the device-specific security policy may further comprise acquiring 214, from a malware detection engine 5, an application-specific security policy in accordance with the application-specific live-patch statistics relating to the plurality of electronic devices 3.
  • the application-specific security policy may define if the file executed by the application is potentially malicious.
  • the malware detection engine 5 may comprise a malware detection cloud service.
  • the malware detection cloud service may be configured to determine if any of the files involved in application live-patching are potentially malicious.
  • the malware detection cloud service may be an on-line service provided by an anti-virus or anti-malware company.
  • the providing 21 of the device-specific security policy may further comprise generating 215 the device-specific security policy in accordance with the application-specific security policy.
  • the device-specific security policy may define an action relating to the application and/or the file executed by the application.
  • the providing 21 of the device-specific security policy may further comprise digitally signing 216 the device-specific security policy, and may further comprise submitting 217 the device-specific security policy to the electronic device 3.
  • FIG. 3 illustrates a message flow in accordance with the present disclosure.
  • the electronic device 3 comprises a processor 31 being configured to perform the method 1 for control of live-patching of an application on an electronic device 3.
  • the electronic device 3 further comprises executable code relating to an application manager 311, a live-patch manager 312, and a policy engine 313, respectively.
  • the analyzer engine 4 comprises a processor 41 being configured to perform the method 2 for control of live-patching of an application on a plurality of electronic devices 3.
  • a number of applications may be installed on the electronic device 3, either from an official application distributor, a 3rd party application distributor, or by an end user.
  • these applications may write executable code or bytecode as files into specific locations of the file systems provided by the operating system of the electronic device 3, and may load and execute such code or bytecode at a later time.
  • Such application behaviors may be monitored and recorded by the application manager 311.
  • the application manager 311 may use the recorded data to determine which operations are live-patch operations of the applications. For example, the application manager 311 may monitor all file accesses from a specific application, and check if files created by the application contain executable code or bytecode, and if such code is later executed. Similarly, the application manager 311 may also monitor modifications to existing files that contain executable code or bytecode, and see if the modified file is later loaded and executed by the application. If a file containing such live-patch code or bytecode is executed, the characteristics of the application and the file, such as the application identifier, the file name/path and the hash value of the file content, are collected and sent to the live-patch manager 312 on the electronic device 3.
  • This initial phase of the method 1 may be referred to as statistics collection phase “A” indicated on the right of FIG. 3.
  • the characteristics of the files may then be sent to the malware detection engine 5 to determine if any of the files involved in application live-patch are potentially malicious, in accordance with the method step 214 mentioned previously.
  • the security policy may then be received, validated and de-anonymized by the live-patch manager 312, in accordance with the method steps 122-123 mentioned previously.
  • This second phase of the methods 1, 2 may be referred to as policy distribution phase “B” indicated on the right of FIG. 3.
  • the underlying operating system should reject the access request from the application.
  • the file access may be one of the common file system operations, such as file creation, opening, reading, writing or deletion.
  • the actual mechanisms on top of which such enforcement can be implemented depend on the capabilities provided by the operating system and other system services hosted on the electronic device 3.
  • This third phase of the method 1 may be referred to as policy enforcement phase “C” indicated on the right of FIG. 3.
  • the statistics of the policy enforcement may also be collected, such as which file accesses are rejected or allowed, whether any errors or unexpected events occurred, and the like, in accordance with the method step 132 mentioned previously.
  • the status and the statistics may include information such as a list of applications that have attempted live-patch operations, a list of applications whose live-patch operations are controlled by the current security policy, a list of operations that are rejected according to the policy, a list of operations that are allowed, the last time a cloud policy was received, the status of the security policy engine, and so on.
  • Such decisions may then be translated to a local security policy by the live-patch manager 312, which is then combined with the cloud policy to form a final aggregated (i.e., modified) security policy, and the policy engine 313 may be reconfigured with the aggregated security policy to put it into effect, in accordance with the method step 143 mentioned previously.
  • a computer program may be stored/distributed on a suitable medium, such as an optical storage medium or a solid-state medium supplied together with or as part of other hardware, but may also be distributed in other forms, such as via the Internet or other wired or wireless telecommunication systems.
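An added example, not code from the patent: a Python sketch of the device-side flow described above, with keyed-hash anonymization (step 116), table-lookup de-anonymization (step 123) and enforcement of the rule given for application 5000. The class names, record and policy field names, the `analyzer_stub` function and the sample hashes are assumptions constructed for illustration; validation of the policy signature is not shown.

```python
import hashlib
import hmac
import posixpath
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    app_id: int   # per-device integer application identifier
    path: str     # file the live-patch code is written to and loaded from
    action: str   # "block" is the only action this sketch understands


class LivePatchManager:
    """On-device anonymizer: keyed hash on the way out, table lookup back."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves the device
        self._table = {}                      # (kind, token) -> original value

    def _token(self, kind, value):
        digest = hmac.new(self._key, f"{kind}:{value}".encode(),
                          hashlib.sha256).hexdigest()
        self._table[(kind, digest)] = value   # recorded for de-anonymization
        return digest

    def anonymize(self, stats):
        # stats: iterable of (app_id, path, sha256 of file content)
        return [{"app": self._token("app", app),
                 "path": self._token("path", path),
                 "content": content}          # file hash is what gets matched
                for app, path, content in stats]

    def deanonymize(self, policy):
        rules = []
        for entry in policy:
            app = self._table.get(("app", entry["app"]))
            path = self._table.get(("path", entry["path"]))
            if app is None or path is None:
                continue                      # token this device never issued
            rules.append(Rule(app, path, entry["action"]))
        return rules


def analyzer_stub(anonymized, known_bad):
    """Hypothetical remote analyzer: sees only tokens and file hashes."""
    return [{"app": r["app"], "path": r["path"], "action": "block"}
            for r in anonymized if r["content"] in known_bad]


class PolicyEngine:
    def __init__(self, rules):
        self._rules = {(r.app_id, posixpath.normpath(r.path)): r
                       for r in rules}
        self.reports = []                     # write attempts, for the manager

    def check(self, app_id, path, op, exists):
        """Return True if the access is allowed; op is "read" or "write"."""
        norm = posixpath.normpath(path)       # "plugin/../plugin/x" == "plugin/x"
        rule = self._rules.get((app_id, norm))
        if rule is None or rule.action != "block":
            return True
        if op == "write":
            self.reports.append((app_id, norm))   # every write attempt reported
            return exists       # the page's rule denies creating the file
        if op == "read":
            return not exists   # and denies opening it once it exists
        return True


def demo():
    # Constructed sample statistics, not real indicators.
    bad = hashlib.sha256(b"constructed live-patch payload").hexdigest()
    ok = hashlib.sha256(b"constructed benign plugin").hexdigest()
    stats = [(5000, "/data/app/5000/plugin/libxyz.so", bad),
             (5001, "/data/app/5001/cache/theme.so", ok)]
    manager = LivePatchManager()
    anonymized = manager.anonymize(stats)
    policy = analyzer_stub(anonymized, known_bad={bad})
    engine = PolicyEngine(manager.deanonymize(policy))
    return anonymized, policy, engine


if __name__ == "__main__":
    anonymized, policy, engine = demo()
    print(engine.check(5000, "/data/app/5000/plugin/libxyz.so", "write", False))
    print(engine.reports)
```

The lookup table and the key stay on the device, so the policy returned by the analyzer is only meaningful to the device that issued the tokens.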

Abstract

Disclosed is a method (1) for control of live-patching of an application on an electronic device (3). The method (1) comprises collecting (11) application-specific live-patch statistics related to the application; obtaining (12), from an analyzer engine (4) disposed remotely from the electronic device (3), a device-specific security policy for the electronic device (3) in accordance with the application-specific live-patch statistics; and applying (13) the device-specific security policy on the electronic device (3). This enables detection and selective prevention of high-risk live-patch operations performed by applications, in a manner that is more transparent and friendly to developers and end users.
PCT/CN2022/097752 2022-06-09 2022-06-09 Application live-patch control for consumer device malware detection WO2023236125A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/097752 WO2023236125A1 (fr) 2022-06-09 2022-06-09 Application live-patch control for consumer device malware detection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2022/097752 WO2023236125A1 (fr) 2022-06-09 2022-06-09 Application live-patch control for consumer device malware detection

Publications (1)

Publication Number Publication Date
WO2023236125A1 (fr) 2023-12-14

Family

ID=89117379

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/097752 WO2023236125A1 (fr) 2022-06-09 2022-06-09 Application live-patch control for consumer device malware detection

Country Status (1)

Country Link
WO (1) WO2023236125A1 (fr)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080313626A1 (en) * 2006-03-10 2008-12-18 Fujitsu Limited Applicable patch selection device and applicable patch selection method
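CN102158369A (zh) * 2011-03-14 2011-08-17 杭州华三通信技术有限公司 Patch checking method and device
CN103455359A (zh) * 2013-09-22 2013-12-18 金蝶软件(中国)有限公司 Patch installation method, device and system
CN108090361A (zh) * 2016-11-22 2018-05-29 腾讯科技(深圳)有限公司 Security policy update method and apparatus
CN109165512A (zh) * 2018-08-16 2019-01-08 北京梆梆安全科技有限公司 Method and apparatus for detecting intent-protocol URL vulnerabilities in an application
CN114237665A (zh) * 2021-12-13 2022-03-25 安天科技集团股份有限公司 Patch update method, apparatus, computing device and storage medium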

Similar Documents

Publication Publication Date Title
US10154066B1 (en) Context-aware compromise assessment
Dini et al. Risk analysis of Android applications: A user-centric solution
US11870811B2 (en) Trusted execution security policy platform
US8346923B2 (en) Methods for identifying an application and controlling its network utilization
US11714884B1 (en) Systems and methods for establishing and managing computer network access privileges
US8769296B2 (en) Software signature tracking
US20080109871A1 (en) Policy management
US11714901B2 (en) Protecting a computer device from escalation of privilege attacks
US20230134122A1 (en) Continuous risk assessment for electronic protected health information
US20190347420A1 (en) Method and system for installing and running untrusted applications
US11943371B2 (en) Root-level application selective configuration
US20170193218A1 (en) Reducing Unregulated Aggregation Of App Usage Behaviors
KR101977428B1 (ko) Content handling techniques for applications
Zungur et al. Borderpatrol: Securing byod using fine-grained contextual information
EP3779747B1 (fr) Methods and systems for identifying a compromised device through active testing
US10282273B1 (en) Application monitoring using workload metadata
WO2023236125A1 (fr) Application live-patch control for consumer device malware detection
KR101040765B1 (ko) Process and file tracking system and process and file tracking method using extended security labels
Nazzal et al. Vulnerability classification of consumer-based IoT software
Inshi et al. CAPEF: Context-Aware Policy Enforcement Framework for Android Applications
Lee et al. Polyscope: Multi-policy access control analysis to triage android scoped storage
US20220366039A1 (en) Abnormally permissive role definition detection systems
US20230132611A1 (en) Abnormal classic authorization detection systems
Ahmad et al. AppBox: A Black-Box Application Sandboxing Technique for Mobile App Management Solutions
WO2024074199A1 (fr) Device and method for securely applying a live software patch to an application

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22945270

Country of ref document: EP

Kind code of ref document: A1