WO2020132876A1 - Operation detection method and system, and electronic device - Google Patents

Operation detection method and system, and electronic device

Info

Publication number
WO2020132876A1
Authority
WO
WIPO (PCT)
Prior art keywords
execution
execution subject
permission set
subject
preset
Legal status
Ceased
Application number
PCT/CN2018/123534
Other languages
English (en)
Chinese (zh)
Inventor
徐贵斌
Current Assignee
Qi An Xin Security Technology Zhuhai Co Ltd
Qi An Xin Technology Group Inc
Qianxin Technology Group Co Ltd
Original Assignee
Qi An Xin Security Technology Zhuhai Co Ltd
Qi An Xin Technology Group Inc
Qianxin Technology Group Co Ltd
Application filed by Qi An Xin Security Technology Zhuhai Co Ltd, Qi An Xin Technology Group Inc, Qianxin Technology Group Co Ltd
Priority to PCT/CN2018/123534
Publication of WO2020132876A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication
    • G06F 21/33 User authentication using certificates

Definitions

  • The present disclosure belongs to the field of network security, and specifically relates to an operation detection method, an operation detection system and an electronic device.
  • An aspect of the present disclosure provides an operation detection method, including: S1, before performing a specific operation, obtaining the execution subject that performs the specific operation; S2, judging according to a first permission set whether the execution subject has the authority to perform the specific operation, and if not, executing operation S3; S3, obtaining the operation state of the execution subject, and obtaining the corresponding second permission set according to the operation state of the execution subject; S4, judging according to the second permission set whether the execution subject has the authority to perform the specific operation, and if so, executing operation S5, and if not, processing the execution subject; S5, obtaining the task that includes the specific operation, the task corresponding to an operation flow for performing at least one operation; S6, judging whether the operation flow satisfies a preset operation flow, and if so, executing operation S7, and if not, processing the execution subject; S7, obtaining the instruction execution sequence corresponding to at least one operation in the task; S8, judging whether the instruction execution sequence matches a preset instruction execution sequence, and if not, processing the execution subject.
  • In step S6, determining whether the operation flow satisfies the preset operation flow includes: obtaining at least one operation corresponding to the operation flow; and determining whether each operation in the at least one operation is consistent with the corresponding operation in the preset operation flow.
  • Judging whether each operation in the at least one operation is consistent with the corresponding operation in the preset operation flow includes: judging whether the execution subject of each operation in the at least one operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
  • Before step S1, the method further includes: S0, creating a first permission set, where the first permission set includes the operation permissions of at least one execution subject in any operation state.
  • The method further includes: S0', creating at least one second permission set, where each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
  • The at least one second permission set is stored at the remote end, and in step S3, acquiring the corresponding second permission set according to the operation state of the execution subject includes: sending a request to the remote end, the request including the execution subject information and its operation state; and obtaining the second permission set sent by the remote end, where the second permission set is returned by the remote end in response to the request.
  • In step S3, acquiring the operation state of the execution subject includes at least: determining the operation state of the execution subject according to the calling mode of the execution subject, where, when the execution subject is directly called by the user, the operation state of the execution subject is determined to be the first operation state, and when the execution subject is called by another execution subject, the operation state of the execution subject is determined to be the second operation state.
  • In step S8, determining whether the instruction execution sequence matches the preset instruction execution sequence includes: obtaining function call information in the instruction execution sequence, where the function call information includes the number of function calls and/or the function call order; and determining whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence.
  • In step S7, acquiring the instruction execution sequence corresponding to at least one operation in the task includes: acquiring, from the stack memory, the instruction execution sequence corresponding to at least one operation in the task.
  • An operation detection system, including: a first acquisition module, used to acquire the execution subject that performs a specific operation before the specific operation is performed; a first judgment module, used to judge according to a first permission set whether the execution subject has the authority to perform the specific operation, and if not, to execute the second acquisition module; the second acquisition module, used to acquire the operation state of the execution subject, and to acquire the corresponding second permission set according to the operation state of the execution subject; a second judgment module, used to judge according to the second permission set whether the execution subject has the permission to perform the specific operation, and if so, to execute the third acquisition module, and if not, to process the execution subject; the third acquisition module, used to acquire the task that includes the specific operation, the task corresponding to an operation flow for performing at least one operation; a third judgment module, used to judge whether the operation flow satisfies the preset operation flow, and if so, to execute the fourth acquisition module, and if not, to process the execution subject; the fourth acquisition module is used to acquire
  • Determining whether the operation flow satisfies the preset operation flow includes: acquiring at least one operation corresponding to the operation flow; and determining whether each operation in the at least one operation is consistent with the corresponding operation in the preset operation flow.
  • The third judgment module determining whether each operation in the at least one operation is consistent with the corresponding operation in the preset operation flow includes: determining whether the execution subject of each operation in the at least one operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
  • The operation detection system further includes: a first creation module, configured to create a first permission set, where the first permission set includes the operation permissions of at least one execution subject in any operation state.
  • The operation detection system further includes: a second creation module, used to create at least one second permission set, where each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
  • The at least one second permission set is stored at the remote end, and the second acquisition module acquiring the corresponding second permission set according to the operation state of the execution subject includes: sending a request to the remote end, the request including the execution subject information and its operation state; and obtaining the second permission set sent by the remote end, where the second permission set is returned by the remote end in response to the request.
  • The second acquisition module acquiring the operation state of the execution subject includes at least: determining the operation state of the execution subject according to the calling mode of the execution subject, where, when the execution subject is directly called by the user, the operation state of the execution subject is determined to be the first operation state, and when the execution subject is called by another execution subject, the operation state of the execution subject is determined to be the second operation state.
  • The fourth judgment module judging whether the instruction execution sequence matches the preset instruction execution sequence includes: obtaining function call information in the instruction execution sequence, where the function call information includes the number of function calls and/or the function call order; and determining whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence.
  • The fourth acquisition module acquiring the instruction execution sequence corresponding to at least one operation in the task includes: acquiring, from the stack memory, the instruction execution sequence corresponding to at least one operation in the task.
  • An electronic device, including: a processor; and a memory storing computer-executable instructions which, when executed by the processor, cause the processor to execute: S1, before performing a specific operation, obtaining the execution subject that performs the specific operation; S2, determining according to a first permission set whether the execution subject has the authority to perform the specific operation, and if not, performing operation S3; S3, obtaining the operation state of the execution subject, and obtaining the corresponding second permission set according to the operation state of the execution subject; S4, judging according to the second permission set whether the execution subject has the permission to perform the specific operation, and if so, performing operation S5, and if not, processing the execution subject; S5, acquiring the task that includes the specific operation, the task corresponding to an operation flow for performing at least one operation; S6, determining whether the operation flow satisfies the preset operation flow, and if so, performing operation S7, and if not, processing the execution subject; S7, obtaining the instruction execution sequence corresponding to at least one operation in the task;
  • Determining whether the operation flow satisfies the preset operation flow includes: acquiring at least one operation corresponding to the operation flow; and determining whether each operation in the at least one operation is consistent with the corresponding operation in the preset operation flow.
  • The processor determining whether each operation in the at least one operation is consistent with the corresponding operation in the preset operation flow includes: determining whether the execution subject of each operation in the at least one operation is consistent with the execution subject of the corresponding operation in the preset operation flow.
  • Before executing step S1, the processor further executes: S0, creating a first permission set, where the first permission set includes the operation permissions of at least one execution subject in any operation state.
  • Before executing step S1, the processor further executes: S0', creating at least one second permission set, where each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
  • The at least one second permission set is stored at the remote end, and when the processor executes step S3, acquiring the corresponding second permission set according to the operation state of the execution subject includes: sending a request to the remote end, the request including the execution subject information and its operation state; and obtaining the second permission set sent by the remote end, where the second permission set is returned by the remote end in response to the request.
  • Acquiring the operation state of the execution subject includes at least: determining the operation state of the execution subject according to the calling mode of the execution subject, where, when the execution subject is directly called by the user, the operation state of the execution subject is determined to be the first operation state, and when the execution subject is called by another execution subject, the operation state of the execution subject is determined to be the second operation state.
  • The processor determining whether the instruction execution sequence matches the preset instruction execution sequence includes: acquiring function call information in the instruction execution sequence, where the function call information includes the number of function calls and/or the function call order; and determining whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence.
  • Acquiring the instruction execution sequence corresponding to at least one operation in the task includes: acquiring, from the stack memory, the instruction execution sequence corresponding to at least one operation in the task.
  • Another aspect of the present disclosure provides a computer-readable medium storing computer-executable instructions, which when executed are used to implement the method as described in any one of the above.
  • Another aspect of the present disclosure provides a computer program, the computer program including computer-executable instructions, which when executed are used to implement the method according to any one of the above.
  • FIG. 1 schematically shows a flowchart of an operation detection method according to an embodiment of the present disclosure.
  • FIG. 2 schematically shows a legal operation flowchart of “remotely launching Shell program cmd.exe” in an embodiment of the present disclosure.
  • FIG. 3 schematically shows an illegal operation flowchart of “remotely launching Shell program cmd.exe” in an embodiment of the present disclosure.
  • FIG. 4 schematically shows a block diagram of an operation detection system according to an embodiment of the present disclosure.
  • FIG. 5 schematically shows a block diagram of an electronic device according to another embodiment of the present disclosure.
  • The technology of the present disclosure may be implemented in the form of hardware and/or software (including firmware, microcode, etc.).
  • The technology of the present disclosure may take the form of a computer program product on a computer-readable medium storing instructions, which may be used by or in conjunction with an instruction execution system.
  • A computer-readable medium may be any medium that can contain, store, transfer, propagate or transmit instructions.
  • Computer-readable media may include, but are not limited to, electrical, magnetic, optical, electromagnetic, infrared or semiconductor systems, apparatuses, devices or propagation media.
  • Computer-readable media include: magnetic storage devices, such as magnetic tape or hard disk (HDD); optical storage devices, such as compact disk (CD-ROM); memory, such as random access memory (RAM) or flash memory; and/or wired/wireless communication links.
  • The operation detection method of the embodiment of the present disclosure includes the following operations:
  • Specific operations in the present disclosure refer to sensitive operations that may cause dangerous consequences, including but not limited to executable file loading, memory operations, file operations, network access, port monitoring, registry key operations, sensitive window message sending, etc.
  • The present disclosure monitors the above specific operations in real time in the operating system, and there may be multiple monitoring methods.
  • For example, "hooking" technology can be used.
  • "Hooking" is a security monitoring method commonly used in the field of computer security, which can hook some application programming interfaces (APIs).
  • The execution subject performing the specific operation includes, but is not limited to, the operating system itself and applications installed on the operating system. Before the specific operation is executed, the information of the execution subject is obtained through the above monitoring means, including but not limited to the name, creation time and location index of the execution subject.
  • The Windows 10 platform has 35 million applications.
  • The iOS platform has 2.1 million applications.
  • The Android platform has 2.6 million applications.
  • The operations involved in these applications are countless.
  • If the specific operations of each application were determined by means of a blacklist or whitelist, huge resources would be required to collect the specific operations of each application and their legality.
  • A first permission set is created, called the "minimum behavior permission set"; the set includes the operation permissions of at least one execution subject in any operation state.
  • The operation state of the execution subject in the present disclosure refers to the state that the execution subject is in when performing the specific operation. For example, the execution subject is the winword program, which can open a word document at runtime: if the winword program is actively run by the user, its operation state is the active running state; if the winword program is run by a call from another program, its operation state is the passive running state.
  • If the opened word document is displayed in the form of a window, the operation state is the window state; if the opened word document only runs in the background and is not displayed, the operation state is the non-window state.
  • The first permission set in the present disclosure only relates to the operation permissions of the execution subject in "any operation state"; the operation permissions in "different operation states" are described later.
  • The first permission set provided by the present disclosure includes at least the following operation permissions of the execution subject in any operation state:
  • The application can only operate on (read, write, open, delete, etc.) files created by itself or directly or indirectly created by the same installation package as itself;
  • The application is not allowed to perform cross-process operations on other processes;
  • User private data includes but is not limited to documents, photos, etc.;
  • The default editing program is subject to the registration in the operating system registry; for example, a word document may only be operated by the winword program or WPS;
  • The key registry entries include but are not limited to the browser homepage, self-starting items, default program settings for various file types, system startup settings, etc.;
  • System function programs include, but are not limited to, shell programs, registry editors, scheduled tasks, and programs that change disk file and registry permissions;
  • S103: Acquire the operation state of the execution subject, and acquire the corresponding second permission set according to the operation state of the execution subject.
  • The operation state of the execution subject has been explained in operation S102 above and is not repeated here.
  • The first permission set set in operation S102 above can filter any risky operation.
  • Take security software as an example: it has the operation of detecting whether the system-wide executable files are infected by viruses, but under the limitation of the first permission set it cannot operate on other applications. Therefore, if only the first permission set of the present disclosure is used for the determination, some special applications such as security software will generate "false positives".
  • The present disclosure therefore needs to further determine the execution subject that does not satisfy the first permission set, and for this purpose introduces the second permission set.
  • Each second permission set corresponds to one operation state of one execution subject, and each second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state.
  • The second permission set provides:
  • When the user actively executes the winword program, it does not have the authority to operate on non-corresponding objects; that is, when opening word document A, the winword program only has the single authority to operate on A, and does not have the authority to operate on B, C or other word documents, or on non-word documents.
  • The second permission set specifies the different permissions of the winword program in the two operation states of "active running state" and "passive running state".
  • The operation state of the execution subject can be determined according to the calling mode of the execution subject: where the execution subject is directly called by the user, its operation state is determined to be the active running state, and where the execution subject is called by another execution subject, its operation state is determined to be the passive running state.
  • The operation state of the execution subject can also be determined according to the operation mode of the execution subject on the execution object.
  • Taking the winword program as an example again: if the opened word document is displayed in the form of a window, its operation state is the window state; if the opened word document only runs in the background and is not displayed, its operation state is the non-window state.
  • The above embodiments are merely examples for explaining different operation states of the execution subject, and the operation states are not limited to the above two embodiments.
  • The operation state acquired in operation S103 is not limited to one operation state; multiple operation states to which the same execution subject belongs can also be acquired at the same time (for example, the winword program can be acquired as being simultaneously in the active running state and the window state) for the subsequent determination.
  • Each second permission set corresponds to at least one operation state of one execution subject, so the number of second permission sets is extremely large. Therefore, the present disclosure may store the created second permission sets at the remote end (e.g., server side, cloud, etc.). When the client implements the present disclosure, the client sends a request to the remote end, the request including the execution subject information and its operation state; the remote end responds to the request, retrieves the corresponding second permission set according to the execution subject information and its operation state, and sends it to the client. Furthermore, after obtaining the second permission set, the client may locally cache the second permission set together with the execution subject information and operation state.
  • When the client needs to obtain the second permission set again, it can first query the local cache, and only if it is not present there send a request to the remote end.
  • Alternatively, when the client installs the application program (or other execution subject), it obtains the second permission sets for the various operation states corresponding to the application program (or other execution subject) from the remote end and saves them locally. In this way, when a second permission set is subsequently acquired, it can be called directly from the local store.
  • The second permission set includes the operation permissions of the corresponding execution subject in the corresponding operation state, so the determination process in operation S104 is easy to understand and is not described in detail here.
  • The present disclosure makes the authority determination from the operation state of the execution subject, and is no longer limited to "application behavior, application functions and types", so it can more accurately determine the "over-privileged behavior" of the execution subject.
  • The second permission set is then required to judge it further.
  • Its corresponding second permission set specifies that it has the permission "can be run automatically and can be connected to the network without user operation", so it can pass the determination of the second permission set. It can be seen from the above example that setting the second permission set can avoid the "false positives" of the first permission set for some specific execution subjects.
  • On the one hand, setting the second permission set in the present disclosure prevents the "false positives" of the first permission set; on the other hand, it strengthens the division of permissions for the execution subject, so that the execution subject is protected from having its normal function affected by "false positives" of the first permission set, while it is still restricted from other specific operations that carry security threats.
  • Taking Xshell as an example: it is mostly used to remotely manage servers, but multiple versions of it contain backdoors which secretly upload the user's server accounts and passwords when it is used.
  • Because the first permission set specifies that "the application is not allowed to access the internal and external networks and device nodes in the network", it does not pass the determination of the first permission set.
  • The second permission set of the present disclosure can determine different network connection permissions according to the type of application program, so that different application programs can connect precisely to a certain type of network or to a certain network or networks. For example, printers, cameras, etc. can only connect to a fixed IP address; applications for intranet communication can only connect to the intranet; server management tools such as Xshell can only connect to the network the user connected to for this operation; applications can only use a specific network protocol to connect to the network; and so on. Taking Xshell as an example again, its second permission set in the various operation states is:
  • When Xshell is determined based on the above second permission set, Xshell is not allowed to access any network other than the network to which the user connected in this operation, which cuts off the network path for uploading the user's server account and password and avoids the security threat.
  • The "task" is the smallest unit that realizes the corresponding function.
  • Each task includes one or more operations (including specific operations) that are executed in sequence. Performing these operations in a fixed order to complete the task is the operation flow of the task.
  • The acquired task may specifically include: the one or more operations included in the task, the execution order of the one or more operations, and the execution object of each operation (for example, when a word document is opened through the winword program, the word document is the execution object).
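The two-tier check of operations S2 to S4 (minimum behavior permission set first, then the state-specific second permission set fetched from the remote end and cached locally), written out as an added example; this is not the patent's own code, and the rules, subject names, states and the `Operation` fields are constructed for illustration:

```python
"""Two-tier permission check (S2 to S4) with a cached remote lookup (S3).
Added illustration with constructed rules; not code from the disclosure."""
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class Operation:
    """One attempted specific operation (constructed model)."""
    subject: str               # execution subject, e.g. "winword.exe"
    action: str                # "open", "scan", "connect", ...
    target: str                # file, process or network host acted on
    owner: str = ""            # installation package that created the target file
    user_chosen: bool = False  # object the user explicitly selected for this run


# First permission set ("minimum behavior permission set"): rules that hold for
# every execution subject in any operation state. Each rule gets the operation
# and the subject's own installation package name.
FIRST_PERMISSION_SET: Tuple[Callable[[Operation, str], bool], ...] = (
    # file operations only on files created by the subject's own package
    lambda op, pkg: op.action not in ("read", "write", "open", "delete") or op.owner == pkg,
    # no cross-process operations on other processes
    lambda op, pkg: op.action != "scan",
    # no access to the internal or external network (the rule quoted for Xshell)
    lambda op, pkg: op.action != "connect",
)

# Second permission sets keyed by (subject, operation state). This dict stands
# in for the remote end; the rules are constructed from the bullets above.
_REMOTE_SECOND_SETS: Dict[Tuple[str, str], Callable[[Operation], bool]] = {
    # winword started by the user: only the document the user opened
    ("winword.exe", "active"): lambda op: op.user_chosen,
    # security software: may scan system-wide executables without user action
    ("avscan.exe", "passive"): lambda op: op.action == "scan",
    # server management tool: only the host the user chose for this operation
    ("xshell.exe", "active"): lambda op: op.action == "connect" and op.user_chosen,
}
_LOCAL_CACHE: Dict[Tuple[str, str], Callable[[Operation], bool]] = {}
_REMOTE_CALLS = 0


def remote_call_count() -> int:
    """Number of requests sent to the (simulated) remote end so far."""
    return _REMOTE_CALLS


def fetch_second_set(subject: str, state: str) -> Callable[[Operation], bool]:
    """S3: query the local cache first, then the remote end; cache the answer.
    A (subject, state) with no stored set yields a deny-everything rule."""
    global _REMOTE_CALLS
    key = (subject, state)
    if key not in _LOCAL_CACHE:
        _REMOTE_CALLS += 1
        _LOCAL_CACHE[key] = _REMOTE_SECOND_SETS.get(key, lambda op: False)
    return _LOCAL_CACHE[key]


def operation_state(called_by_user: bool) -> str:
    """S3: operation state derived from the calling mode of the execution subject."""
    return "active" if called_by_user else "passive"


def decide(op: Operation, package: str, called_by_user: bool) -> str:
    """Return 'allow:first', 'allow:second' or 'block' for one specific operation."""
    # S2: does the minimum behavior permission set already allow it?
    if all(rule(op, package) for rule in FIRST_PERMISSION_SET):
        return "allow:first"
    # S3/S4: fall back to the second permission set for the current state
    state = operation_state(called_by_user)
    if fetch_second_set(op.subject, state)(op):
        return "allow:second"
    return "block"  # "process the execution subject": intercept, alert, and so on
```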
  • This disclosure determines whether the operation flow of a task is legal by determining whether it conforms to a preset operation flow.
  • Each task has a legal operation flow by which it realizes its function; this is the preset operation flow referred to in this disclosure.
  • The following uses “remotely starting the Shell program cmd.exe” as an example to explain the legal operation flow and the illegal operation flow of the present disclosure.
  • FIG. 2 illustrates a legal operation flowchart of “remotely launching the Shell program cmd.exe” in an embodiment of the present disclosure.
  • A task generated by the normal (legitimate) remote control machine A is “start the Shell program cmd.exe on the target server B”, and the operation process performed by the task is:
  • FIG. 3 illustrates an illegal operation flowchart of “remotely launching the Shell program cmd.exe” in an embodiment of the present disclosure.
  • A task generated by the attacker-controlled remote control machine A is “start the Shell program cmd.exe on the target server B”, and the operation process performed by the task is:
  • the attacker's malicious code injects the command that starts the shell into spoolsv.exe;
  • In FIGS. 2 and 3 of the present disclosure the two tasks are the same and the function achieved by each is to start the Shell program cmd.exe, but the operation flows they perform are different.
  • The illegal operation flow is: start cmd.exe through the printer management service program spoolsv.exe.
  • In operation S106 of the present disclosure, determining whether the operation flow of the task is legal by checking whether it conforms to the preset operation flow makes it possible to determine whether the task to which the specific operation belongs is legal. Specifically, when checking the operation flow, the present disclosure first obtains the operations that make up the flow, and then determines whether each operation is consistent with the corresponding operation in the preset operation flow.
  • The illegal operation flow consists of “start spoolsv.exe” and “spoolsv.exe starts the Shell program cmd.exe”; the corresponding legal operation flow is “tlntsvr.exe starts tlntsess.exe” and “tlntsess.exe starts the Shell program cmd.exe”.
  • In operation S106 of the present disclosure it is also necessary to determine whether the execution subject of each operation is consistent with the execution subject of the corresponding operation in the preset operation flow. If they are not consistent, the entire operation flow is considered illegal.
  • The “task” in operation S107 of the present disclosure is the task, mentioned earlier in the present disclosure, that includes the specific operation.
  • The present disclosure obtains at least one operation from the task (the operation may be the specific operation or another operation in the task), and obtains the instruction execution sequence corresponding to the execution of that operation.
  • The instruction execution sequence of the present disclosure is obtained from stack memory in the operating system (stack memory is allocated, used, and reclaimed automatically by the operating system and cannot be controlled by the user).
  • The preset instruction execution sequence in operation S108 of the present disclosure refers to a legal instruction execution sequence.
  • The instruction execution sequence acquired from stack memory is matched against the preset instruction execution sequence to determine whether the acquired sequence is legal, and thereby whether the corresponding operation is legal.
  • One embodiment of the present disclosure obtains the function call information in the instruction execution sequence.
  • The function call information includes the number of function calls (if a function is called 0 times, it means that the function is not called) and/or the function call order, and is used to determine whether the function call information in the instruction execution sequence matches the function call information in the preset instruction execution sequence. If the match succeeds, the specific operation performed by the execution subject is released; otherwise, the specific operation performed by the execution subject is intercepted.
  • Table 1 schematically shows the legal instruction execution sequence of “remotely starting the Shell program cmd.exe” in the embodiment of the present disclosure:
  • One of the instructions is "kernel32!CreateProcessW", which means that the function CreateProcessW in the dynamic link library kernel32.dll is called once; the purpose of calling this function is to “start a specified program”. Therefore, when determining whether the instruction execution sequence matches the preset instruction execution sequence, the present disclosure can match on the function call information in the respective sequences, including whether functions with different purposes have been called, the number of calls, and the order of calls.
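To make the two checks concrete, here is an added example (not code from the patent or its applicant) that applies the operation-flow check of S106, including the execution-subject comparison, and the function-call-information matching of S108 to constructed event data. The process names and kernel32!CreateProcessW come from the description; the other function names, their call counts, and the parent of spoolsv.exe are assumptions standing in for the omitted Table 1.

```python
from collections import Counter

# Preset legal operation flow (from the description): (execution subject, operation) pairs.
PRESET_FLOW = [("tlntsvr.exe", "start tlntsess.exe"),
               ("tlntsess.exe", "start cmd.exe")]

# Preset legal instruction execution sequence as function call information: ordered
# function names with expected call counts (0 = must not be called). Only the
# CreateProcessW entry is from the description; the other two are constructed.
PRESET_CALLS = [("kernel32!CreateProcessW", 1),
                ("kernel32!CloseHandle", 2),         # constructed
                ("kernel32!WriteProcessMemory", 0)]  # constructed

def check_flow(observed):
    """S106: each operation AND its execution subject must match the preset."""
    if len(observed) != len(PRESET_FLOW):
        return False, "operation count differs from preset flow"
    for i, ((subj, op), (psubj, pop)) in enumerate(zip(observed, PRESET_FLOW)):
        if op != pop:
            return False, f"operation {i}: {op!r} is not preset {pop!r}"
        if subj != psubj:  # same operation, wrong execution subject
            return False, f"operation {i}: subject {subj!r} is not {psubj!r}"
    return True, "operation flow matches preset"

def check_calls(observed):
    """S108: match function presence, call counts and first-call order."""
    counts = Counter(observed)
    for fn, n in PRESET_CALLS:
        if counts[fn] != n:
            return False, f"{fn} called {counts[fn]}x, preset expects {n}x"
    expected = [fn for fn, n in PRESET_CALLS if n > 0]
    first_seen = [observed.index(fn) for fn in expected]
    if first_seen != sorted(first_seen):
        return False, "function call order differs from preset"
    extra = sorted(set(observed) - set(expected))
    if extra:
        return False, f"functions outside the preset sequence: {extra}"
    return True, "instruction execution sequence matches preset"

def detect(observed_flow, observed_calls):
    """Run S106 then S108; return ('release' | 'intercept', reason)."""
    ok, why = check_flow(observed_flow)
    if not ok:
        return "intercept", why
    ok, why = check_calls(observed_calls)
    return ("release" if ok else "intercept"), why

# Constructed samples: the FIG. 2 flow, and a shell started through spoolsv.exe
# as in FIG. 3 (the subject that starts spoolsv.exe is constructed).
LEGAL_FLOW = list(PRESET_FLOW)
ILLEGAL_FLOW = [("services.exe", "start spoolsv.exe"),
                ("spoolsv.exe", "start cmd.exe")]
LEGAL_CALLS = ["kernel32!CreateProcessW", "kernel32!CloseHandle",
               "kernel32!CloseHandle"]
```

A flow whose operations match but whose execution subject differs (for example cmd.exe started by spoolsv.exe in the second step) is intercepted at S106 before the call sequence is examined, which is the subject check the description adds to the plain operation comparison.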
  • FIG. 4 schematically shows a block diagram of an operation detection system according to an embodiment of the present disclosure.
  • The operation detection system 400 includes a first acquisition module 410, a first judgment module 420, a second acquisition module 430, a second judgment module 440, a third acquisition module 450, a third judgment module 460, a fourth acquisition module 470, and a fourth judgment module 480.
  • The operation detection system 400 may perform the method described above with reference to FIG. 1 to implement detection of specific operations.
  • The first acquisition module 410 is used to obtain the execution subject performing the specific operation before the specific operation is performed; the first judgment module 420 is used to determine, according to the first permission set, whether the execution subject has permission to perform the specific operation, and if not, the second acquisition module 430 is executed; the second acquisition module 430 is used to obtain the operating state of the execution subject and to obtain the corresponding second permission set according to that operating state; the second judgment module 440 is used to determine, according to the second permission set, whether the execution subject has permission to perform the specific operation, and if so, the third acquisition module 450 is executed, while if not, the execution subject is processed.
  • The third acquisition module 450 is used to acquire the task including the specific operation, the task corresponding to an operation flow for performing at least one operation; the third judgment module 460 is used to determine whether the operation flow satisfies the preset operation flow, and if so, the fourth acquisition module 470 is executed, while if not, the execution subject is processed; the fourth acquisition module 470 is used to obtain the instruction execution sequence corresponding to at least one operation in the task; the fourth judgment module 480 is used to determine whether the instruction execution sequence matches the preset instruction execution sequence, and if not, the execution subject is processed.
  • Any number of the modules 410 to 480 may be combined and implemented in one module, or any one of these modules may be split into multiple modules. Alternatively, at least part of the functions of one or more of these modules may be combined with at least part of the functions of other modules and implemented in one module.
  • At least one of the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450, the third judgment module 460, the fourth acquisition module 470, and the fourth judgment module 480 may be at least partially implemented as a hardware circuit, such as a field programmable gate array (FPGA), a programmable logic array (PLA), a system on chip, a system on a substrate, a system on a package, or an application specific integrated circuit (ASIC), or may be implemented in any other reasonable manner, such as hardware or firmware that integrates or encapsulates the circuit, or an appropriate combination of software, hardware, and firmware.
  • At least one of the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450, the third judgment module 460, the fourth acquisition module 470, and the fourth judgment module 480 may be at least partially implemented as a computer program module, and when the program is run by a computer, the function of the corresponding module is performed.
  • FIG. 5 schematically shows a block diagram of an electronic device according to another embodiment of the present disclosure.
  • The electronic device 500 includes a processor 510 and a computer-readable storage medium 520.
  • The electronic device 500 may perform the method described above with reference to FIG. 1 to implement detection of specific operations.
  • The processor 510 may include, for example, a general-purpose microprocessor, an instruction set processor and/or related chipsets, and/or a dedicated microprocessor (for example, an application specific integrated circuit (ASIC)), and so on.
  • The processor 510 may also include on-board memory for caching purposes.
  • The processor 510 may be a single processing unit or a plurality of processing units for performing different actions of the method flow according to the embodiment of the present disclosure described with reference to FIG. 1.
  • The computer-readable storage medium 520 may be, for example, any medium capable of containing, storing, or transmitting instructions.
  • Readable storage media may include, but are not limited to, electrical, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatuses, devices, or propagation media.
  • Specific examples of readable storage media include: magnetic storage devices such as magnetic tapes or hard disks (HDD); optical storage devices such as compact discs (CD-ROM); memories such as random access memory (RAM) or flash memory; and/or wired/wireless communication links.
  • The computer-readable storage medium 520 may include a computer program 521, which may include code/computer-executable instructions that, when executed by the processor 510, cause the processor 510 to perform, for example, the method flow described above in connection with FIG. 1 and any variations thereof.
  • The computer program 521 may be configured to have computer program code including, for example, computer program modules.
  • The code in the computer program 521 may include one or more program modules, for example module 521A, module 521B, ... It should be noted that the division and number of modules are not fixed, and those skilled in the art may use appropriate program modules or combinations of program modules according to the actual situation.
  • The processor 510 may, for example, perform the method flow described above in connection with FIGS. 2 to 3 and any variations thereof.
  • At least one of the first acquisition module 410, the first judgment module 420, the second acquisition module 430, the second judgment module 440, the third acquisition module 450, and the third judgment module 460 may be implemented as a reference

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to an operation detection method comprising: S1, obtaining an execution subject performing a specific operation; S2, determining, according to a first permission set, whether the execution subject has permission to perform the specific operation; S3, obtaining the operating state of the execution subject and a corresponding second permission set; S4, determining, according to the second permission set, whether the execution subject has permission to perform the specific operation; if so, performing operation S5, and if not, processing the execution subject; S5, obtaining a task comprising the specific operation, the task corresponding to an operation flow; S6, determining whether or not the operation flow satisfies a preset operation flow, and if not, processing the execution subject; S7, obtaining an instruction execution sequence corresponding to at least one operation in the task; and S8, determining whether the instruction execution sequence matches a preset instruction execution sequence, and if not, processing the execution subject. The invention also relates to a pressure detection device and an electronic device.

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/123534 WO2020132876A1 (fr) 2018-12-25 2018-12-25 Operation detection method and system, and electronic device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/123534 WO2020132876A1 (fr) 2018-12-25 2018-12-25 Operation detection method and system, and electronic device

Publications (1)

Publication Number Publication Date
WO2020132876A1 (fr) 2020-07-02

Family

ID=71127292

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/123534 Ceased WO2020132876A1 (fr) 2018-12-25 2018-12-25 Operation detection method and system, and electronic device

Country Status (1)

Country Link
WO (1) WO2020132876A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067911A (zh) * 2012-12-17 2013-04-24 中国联合网络通信集团有限公司 Method and device for controlling the use of hardware modules
CN104166818A (zh) * 2014-07-02 2014-11-26 百度在线网络技术(北京)有限公司 Permission control method, apparatus and system
US20160098570A1 (en) * 2013-08-28 2016-04-07 Huawei Device Co., Ltd. Method and Apparatus for Determining Permission of Application Program
CN107944258A (zh) * 2017-11-21 2018-04-20 广东欧珀移动通信有限公司 Control method, apparatus, storage medium and terminal for starting an application as a service

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18944927

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18944927

Country of ref document: EP

Kind code of ref document: A1